Welcome to Texas justice: You might beat the rap, but you won't beat the ride.

Sunday, March 06, 2005

High-tech solutions can't stop fake IDs

Did you have a fake ID in high school? I did. I had one for years, from when I was perhaps 16 years old or so. Smith County, where I grew up in East Texas, was "dry," so we'd drive 30 miles down state highway 31 to Kilgore in Gregg County, where to this day a passel of run-down liquor stores sit invitingly just across the county line. It was never rejected.

In fact, ultimately I had two fake IDs. Like Charles Kuffner, I'm one of the unhappy few Texans back in the 1980s who reached 19 years old, could legally drink for a few months, then saw the laws change to restrict drinking again until I was 21, so I had to get a second fake ID when I was in college. I don't really recall how I got them, or from whom, but it wasn't difficult, and I didn't know any underage folks who wanted to drink who found the ID thing to be a real barrier.

Supposedly, 9/11 upped the ante on fake IDs. Forget for a moment that the actual hijackers had real IDs issued by government agencies based on forged primary documents. None of these new high-tech ID card programs would have affected what they did at all. Regardless, though, technology vendors, motor vehicle registration agencies, and most of all the Bush Administration are promoting the wrongheaded notion that throwing more high tech gadgetry at the ID problem will solve it.

This technophile reaction to 9/11 holds that every potential danger can be resolved by purchasing this facial recognition technology or that newfangled, bar-coded ID to prevent terrorism. It won't. It can't even prevent 19-year olds from buying beer, much less prevent committed adults willing to give their own lives from killing a lot of people.

The frantic search for techological solutions doesn't even make sense. The terrorists' strategy on 9/11 was to use LOW-tech means to exploit our society's reliance on high tech gizmos -- they used box cutters to take over a plane, for heaven's sake -- so the high-tech solution is obviously, precisely the WRONG strategy to confront the direct threat, like fighting fires with gasoline.

A fascinating article in this morning's New York Times demonstrates to me the fallacy of thinking technology can stop a creative, determined opponent from getting a fake ID. Titled, "The ID Wars: The Fakes Gain," the fascinating conclusion is even worse than the title -- the fakes were always ahead, and those who would prevent the creation of fake IDs do not now and have never been able to do so. All the new technology brought to bear on the problem has been stymied, or even made things worse as the pool of people technically qualified to make sophisticated fakes has grown exponentially.

Despite these obvious unintended consequences to the security crowds techno-fervor, vendors and government agencies continue to tout endlessly more expensive high tech solutions, always justifying them with trying to prevent terrorism:

While getting a fake ID is a right [sic] of passage for many young people who want no more than access to the occasional six-pack or campus pub, the potential security threat posed by forged drivers' licenses - most prominently, the threat of access to commercial airliners - has cast the old barroom conflict in a new light.

"People think of fake ID's for buying beer or cigarettes when you're 19," said Sgt. William Planeta, who runs the New York Police Department's document fraud squad. "But it has a lot of different implications in a post-9/11 world. You can use that fake ID to do all sorts of things."

In an effort to catch up with counterfeiters, therefore, the government and a growing document verification industry are turning to both legislation and technological innovations. "We're going to give the fake ID a run for its money," said James E. Copple, the director of the nonprofit International Institute for Alcohol Awareness at the Pacific Institute for Research and Evaluation, with headquarters in Maryland, which studies public health.

That gentleman, Mr. Copple, is kidding himself -- or else blowing smoke to justify his next research grant or pet vendor's product. Those kids are going to run him to death. He'll never be smarter than a million committed underage would-be drinkers. Not on his best day. Not on anybody's. They know what they want, have money to get it, and that level of high-dollar demand will cause market solutions to avail themselves. Reported the Times:

"ID's made by students tend to be much better than ID's you buy in the Village or Times Square," said a 19-year-old Columbia sophomore who has a fake driver's license and asked not to be identified for fear of the police. As for the importance of having a fake ID, she said: "All of my friends have fake ID's, everyone I know from high school and all my friends at school. It's definitely a necessity."

Over time, technology, skills, and high-tech resources have become cheap and available to anybody, in particular to many, many students. New high-tech ID card gadgetry, by the time it's identified by the govenment, researched, opened for bids, a vendor is chosen, and the technology is used in the real world, often has already been rendered antiquated upon its release by the rapid-pace growth of cutting edge technology, and lots of people know how to manipulate it. Said the Times:

THE nation's fixation with security cards and ID systems has also been a boon for manufacturers of fake ID's. The widespread use of corporate ID's has created a large pool of people who know the inner workings of the security features in the cards. In online chat rooms dedicated exclusively to the manufacture of fake ID's, unscrupulous members of this pool - including some drivers' license bureau workers, the police say - share or sell information about security features and even run a black market in the more sophisticated components of ID's.

"There are guys online who manufacture the bar codes and holograms," said the Columbia student who made fake ID's. "The hologram like on a Texas will glow. I can order that." ...

Licenses store information in two formats: magnetic stripes like those on credit cards, and two-dimensional bar codes, strips of small dots arranged to convey information in a kind of graphic Morse code. Magnetic stripes can be erased with a magnet and reprogrammed with, say, a new birth date, using basic ID-making equipment, and bar codes can be photocopied or transferred from a legitimate ID to a fake one.

None of the current drivers license re-engineering proposals in Texas will stop fake ID-makers who are able to do all that. I can't think of any that would, and if they did, the idea would probably be outdated by the time it hit the streets. The technical capabilities and physical means for making fakes have simply become too democratized and well-dispersed to think ID cards can be a source of absolute security. Texas DPS was awfully proud of that hologram, for example, bragging to the Legislature when it was implemented, just as we hear now, that it would solve the fake ID problem. Instead, the kids think it's a joke and it hasn't even come close to stopping the fakes. The Times described a Louisiana case where LSU students were manufacturing "perfect" Texas IDs:

Often when the police encounter a fake ID these days, they are more interested in getting information on who made it than in prosecuting the under-age user.

That was the case in Louisiana in late 2003, when a 19-year-old L.S.U. student named Corey James Domingue died of acute alcohol poisoning after using a fake Texas driver's license to buy four fifths of liquor from a local Winn-Dixie supermarket. By questioning Mr. Domingue's roommate and friends with similar forged ID's, Louisiana authorities were able to unravel a high-tech ring that had issued thousands of counterfeit licenses.

"These kids built their own computers from scratch," said Steven E. Spalitta, the enforcement director of the Louisiana Office of Alcohol and Tobacco Control, who handled the case. "We learned the ID's were not just perfect but they were encoded. There's almost no way you can tell it's a fake with the naked eye."

In all, five people pleaded guilty to forgery and a sixth is facing trial. Using computer records Mr. Spalitta's agency also tracked down and issued hundreds of criminal citations to students who bought fake ID's from the ring.

The worst part, I'll guarantee there were 20 more ready to take their place. They're never going to stop that. If every 19 year old who wants one can get a fake ID, then no terrorist would have any difficulty -- that much of the technophile's arguments are true. But the nexus of possibility they fear has nothing to do with how the terrorists attacked us -- they planted sleepers in the U.S. who had legitimate documentation, not crude, dorm-room fakes. It's a logical fallacy, then, to conclude that to stop the terrorists, one must prevent underage drinkers from getting fake IDs. The latter may be a desirable goal, and society may even decide it's worthy of investing substantial resources to try, however futilely, to do so. But everyone should be clear -- it has nothing to do with Al Quaeda or stopping terrorism.

High-tech government ID schemes are expensive, speculative, and, to judge from recent technological history and trends, doomed to fail at the goal of preventing their reproduction. They serve only to limit and regulate the law abiding. Anybody determined to obtain a fake ID will find a way to do so.

13 comments:

I'd like the thrust of the article to be true but I don't think it is.

I think most of the fake id methods will fail with the addition of biometric identifiers and a widespread network. How are you going to buy beer when the convenience store clerk asks you to step up to the iris scanner and either the red or green light comes on after a quick database search.

Take it one step further and lets assume you must put your hand into a "shackle" which closes if you don't get the green light. Every faker with the courage to try is automatically aprehended.

Not a pretty picture but it is the direction we are headed. Sure, there will be some innocent people who get the shackle but that doesn't seem to bother most people in the current environment.

All the biometric identifiers do is tell you that the individual with their iris scanned is the same person whose information is on the magnetic strip on the back of the card. Since students can already manipulate that magnetic strip information, they can add iris scan info, too, when it comes to that -- especially since government implementation of the program would take years of ramp-up time. By the time a convenience store will have an iris scanner, the technology will be well-dispersed and widely available for counterfeiters to use. Remember, an iris scan is just a piece of data, like your address or your phone number. Couterfeiters can add that onto the card, too, no problem. I don't see biometrics' advancement at all changing the fake ID scenario -- in practice, the more high tech the IDs get, the larger the scale on which they're being faked. If that seems counterintuitive, it's also empirically true.

Also, the shackle idea, while intriguing, would never pass constitutional muster because the convenience store clerk has no authority to detain you. While we have entered the world of Big Brother, for sure, we haven't gone that far, yet, I hope.

I think you misread what I wrote. There is no need for a card at all. The iris at the counter is matched (through a network) with the record in the database. About the only way to "fake out" the system is to have a fake eye. That is possible but can be easily controlled.

Are the economics prohibitive? Well, we currently have about 17,000 retail lottery locations in Texas. (Thats more than twice as many locations as we have package stores. I bet most package stores also sell lottery tickets.) Every lottery retailer has a network connection between his ticket printer and the lottery headquarters. Just add a few iris scanners to the USB port on the ticket printer and VOILA!!

"Big Brother" can win the technology war. Successfully opposing Big Brother will require a lot of will and a lot of work by a lot of like-minded people. Other than blogs, technology won't be that much help.

Grits for breakfast piggybacks on a New York Times article which suggests that it is futile to expect that driver's licenses will continue to be foiled by teenagers desperate for getting into bars.

To make his case, Grits sets up an identification strawman, describing how the technology of 2-D bar codes and magnetic strips can be defeated.

Unfortunately, Grits hasn't been keeping up with the latest technology of advanced watermarks, encrypted chips, digital certificates and digital signatures. For example, with digital signatures, any attempt to modify the data on the chip leaves the signatures unreadable by most card readers.

The encryption on the new wave of cards is also significant. For instance, the Progressive Policy Institute suggests that "Ten thousand computers working simultaneously for 22 hours are required to break a 56-bit key. Current cards employ 128-bit keys, and future versions will feature 256-bit keys, so it will take much longer to intrude into these--far longer than the time it takes to revoke the card entirely."

I'd be careful about reading too much into a New York Times article where the author has a conclusion in mind and then finds evidence to support it. This is the first no-no in the scientific method and I think it should apply to journalism.

And even if a few people can crack more advanced technology on the way, that is no argument to not go forward. The key is do we raise the bar on identity thefts and make it harder for them to keep up with their illegal trade.

Texas Feller: The database you describe doesn't exist, and an effort to create it in 2003 was voted down 111-26 in the TX House. I don't see it happening any time soon.

And Dennis, I tried to post this comment on your blog but had some weird server error. Since you've included your post in the comments, I'll put it here:

It's always easy to sound certain predicting the omnipotence of new technology. When Texas DPS put the hologram on TX drivers licenses, they told the Legislature it would put a stop to ID theft once and for all. But by the time the solution was fully rolled out, any 19-year old with photoshop could mimic it. I predict the same will be true with other technologies, since what's new today is old hat tomorrow, and certainly by the time it's implemented years down the line. The argument that computers are too slow to do "X" changes constantly as computers' speed increases year after year.

The democratization of the skillset is the key factor -- with so many people knowledgeable about the details of security technology, it only takes a handful deciding to misuse the knowledge to screw the whole system.

High tech solutions empirically so far have expanded the number of fake IDs, not diminished them. When fakes were made by an art student with an exacto knife, it was on a relatively small scale. Now, the reliance on electronic gadgetry makes it as easy to produce 10,000 fakes as one. They've made IDs less secure, not more.

I appreciate your commenting on comments. You just reported on the DPS having an RFI for facial recognition technology. The DPS by now probably has close to 100% of the thumbprints of people with drivers licenses. Instead of an iris scan, use a thumbprint scanner. With one vote of the legislature, the existing database could be made widely available.

I disagree with your belief that widespread knowledge of technology protects us from "Big Brother" or at least the ability to have near-perfect identification methods. Your belief provides false comfort. I think the wiser path to take is to show how easy it would be to implement near-perfect id methods. Then the task is to show why it would be a bad idea to implement them. Or, if implemented, how we could restrict the use of near-perfect id methods.

My fear is that we don't have good arguments for maintaining a vestige of privacy or anonymity. I think a majority of the voting public would say near-perfect identification is a good idea and should be used widely and soon by every government and business enterprise.

Thanks, Texas feller. I understand your concerns, and if you read some of the linked Grits biometrics coverage you'll see I've been making a lot of those privacy arguments. But I also think the technology is being oversold as to its capabilities. I don't see that it's a conflict to make both arguments, and as many others as we can come up with, besides.

BTW, I met with DPS this morning (that's where I found out about the RFP), and they say that the fingerprints they've been gathering are unsearchable because it's harder to get a valid print than it might seem, and if you don't get the angle, pressure, etc., right the prints won't match. They anticipate that, if they implement new scanner technology, the print database may be functional in 12 years! Meanwhile, unless they successfully change the law, they still don't have the authority to use that data for anything but verifying your ID when you get a drivers license, not in the convenience store or in any other context.

To me, debunking overstated claims of effectiveness is part and parcel of arguing to protect privacy. But even if the technology is 100%, the privacy-tradeoff issue you'd prefer to emphasize still plays well with the new Republican majority at the Lege, in a lot of ways, better than it used to with the Democrats.

Perhaps you can point me to a tutorial or a list of rationales that supports the constraints on "big brother" identity and tracking technologies. I am not arguing here but looking for a set of well-conceived talking points. Let's assume that there is a VERY good method of positive identification. I have trouble making a factually convincing argument for a right of privacy.

Hell, Texas feller, it wouldn't bother me if you WERE arguing! When my Mom was alive she always said I'd argue with a tree stump.

I'd suggest you look at the arguments in my biometric blues series, for starters, and in other recent coverage on biometrics (search at the top left). There's more points to be made, but that's a start.

At issue is the fact that young people are still dying every day from alcohol-related causes and we all seem content to just let it happen because, "We can't do anything, they're going to get it anyway."

Mr. Copple is simply trying to implement a system that could effectively impact youth access to the item that is speeding up this untimely, unnecessary death process. The future legislation, he has helped to create, paired with the possiblity it may soon become a felony offense to possess a falsified government document, i.e. a fake ID, can make the decision to purchase and use a fake ID a little weightier for the young drinker/smoker.

you dumb asses. Implementing the iris scan and/or thumb scan won't change anything. Students, like me, will always beat the system. Us college kids have such an outrageous amount of resources at our disposal. Plus, with the thum and iris scanner, kids today already buy fake IDs that belong to different states in the union because people in their own states know the tricks with fake IDs. If a person carries a fake ID from another state, they can't be asked to take a thumb scan or an iris scan. THose are state tests, not federal. Yes states can share that information but they NEVER do. You can be an at large drug dealer and cross a state line and be okay, as long as you don't get arrested. You might even be able to get arrested if the warrent out for your arrest isn't large enough to pop up on a national screen. The point is however that the fake ID will never be beat. We are too good at it. Not to mention, many stores don't really give a shit about underage kids, they just want them to have some sort of fake identification so that the store doesn't get in trouble for selling.

"I always tell people interested in these issues that your blog is the most important news source, and have had high-ranking corrections officials tell me they read it regularly."

- Scott Medlock, Texas Civil Rights Project

"a helluva blog"

- Solomon Moore, NY Times criminal justice correspondent

"Congrats on building one of the most read and important blogs on a specific policy area that I've ever seen"

- Donald Lee, Texas Conference of Urban Counties

GFB "is a fact-packed, trustworthy reporter of the weirdness that makes up corrections and criminal law in the Lone Star State" and has "shown more naked emperors than Hans Christian Andersen ever did."

-Attorney Bob Mabry, Conroe

"Grits really shows the potential of a single-state focused criminal law blog"

- Corey Yung, Sex Crimes Blog

"I regard Grits for Breakfast as one of the most welcome and helpful vehicles we elected officials have for understanding the problems and their solutions."

Tommy Adkisson,Bexar County Commissioner

"dude really has a pragmatic approach to crime fighting, almost like he’s some kind of statistics superhero"

- Rob Patterson, The Austin Post"Scott Henson's 'Grits for Breakfast' is one of the most insightful blogs on criminal justice issues in Texas."

- Texas Public Policy Foundation

"Nobody does it better or works harder getting it right"

David Jennings, aka "Big Jolly"

"I appreciate the fact that you obviously try to see both sides of an issue, regardless of which side you end up supporting."

Kim Vickers,Texas Commission on Law Enforcement Officer Standards and EducationGrits for Breakfast "has probably broken more criminal justice stories than any TX reporter, but stays under the radar. Fascinating guy."

Maurice Chammah,The Marshall Project"unrestrained and uneducated"

John Bradley,Former Williamson County District Attorney, now former Attorney General of Palau

"our favorite blog"

- Texas District and County Attorneys Association Twitter feed"Scott Henson ... writes his terrific blog Grits for Breakfast from an outhouse in Texas."